INTRODUCTION TO FIDO ALLIANCE
FIDO Seminar, New York City, 31 March 2016
Brett McDowell, Executive Director
All Rights Reserved. FIDO Alliance. Copyright 2016.
The Problem
The Solution
The Alliance
The Market
Data Breaches…
781 data breaches in 2015
170 million records in 2015 (up 50%)
$3.8 million cost/breach (up 23% from 2013)
“A look through the details of these incidents shows a common sequence of phish customer ≥ get credentials ≥ abuse web application ≥ empty bank/bitcoin account.”
2015 Data Breach Investigations Report
The world has a PASSWORD PROBLEM
ONE-TIME PASSCODES
Improve security but aren’t easy enough to use
Still Phishable
User Confusion
Token Necklace
SMS Reliability
WE NEED A NEW MODEL
WE CALL OUR NEW MODEL Fast IDentity Online
online authentication using public key cryptography
The Problem
The Solution
The Alliance
The Market
THE OLD PARADIGM: USABILITY versus SECURITY
THE FIDO PARADIGM
[Figure: chart with axes USABILITY (Poor to Easy) and SECURITY (Weak to Strong)]
HOW OLD AUTHN WORKS
ONLINE
The user authenticates themselves online by presenting a human-readable “shared secret”
HOW FIDO AUTHN WORKS
AUTHENTICATOR
LOCAL: The user authenticates “locally” to their device (by various means)
ONLINE: The device authenticates the user online using public key cryptography
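The flow described above, as an added example that is not part of the original slides: a device holds one private key per service, the service stores only the public key, and login is a signature over a fresh challenge. This is a simplified model, not the UAF or U2F message format; the class names, the `signedData` layout and the `.example` origins are assumptions made for illustration.

```javascript
// Added example, simplified model; not the UAF/U2F wire format. All names are hypothetical.
const crypto = require('node:crypto');

// The signature covers the origin as well as the server's random challenge.
const signedData = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key, stays on device
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey); // a fresh key pair per service
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Assumed to run only after local user verification (biometric, button press).
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // nothing registered for this origin
    return crypto.sign('sha256', signedData(origin, challenge), key);
  }
}

class RelyingParty {
  constructor(origin) { this.origin = origin; this.pubKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.pubKeys.set(user, pem); } // server stores a public key only
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const pem = this.pubKeys.get(user);
    if (!c || !pem || !signature) return false;
    return crypto.verify('sha256', signedData(this.origin, c), pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new RelyingParty('https://bank.example');
  const shop = new RelyingParty('https://shop.example');
  const bankPub = device.register(bank.origin), shopPub = device.register(shop.origin);
  bank.enroll('alice', bankPub); shop.enroll('alice', shopPub);
  const sig = device.sign(bank.origin, bank.challenge('alice'));
  const login = bank.verify('alice', sig), replay = bank.verify('alice', sig);
  const crossSite = bank.verify('alice', device.sign(shop.origin, bank.challenge('alice')));
  return { login, replay, crossSite, distinctKeys: bankPub !== shopPub };
}
```

`demo()` returns the outcome of a normal login, a replayed signature, a signature made for a different service, and whether the two services received different public keys.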
Passwordless Experience (UAF Standards)
1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online

Second Factor Experience (U2F Standards)
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online

*There are other types of authenticators
OPEN STANDARDS R.O.I.
FIDO-ENABLE ONCE
GAIN EVERY DEVICE YOU TRUST
NO MORE ONE-OFF INTEGRATIONS
USABILITY, SECURITY, R.O.I. and PRIVACY
No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts
Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers
The Problem
The Solution
The Alliance
The Market
The FIDO Alliance is an open industry association of over 250 global member organizations
Physical-to-digital identity
User Management
Authentication
Federation
Single Sign-On
Passwords, Risk-Based, Strong
MODERN AUTHENTICATION
FIDO SCOPE
FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
Board Members
Alliance Working Groups
Standards & Technology
1. FIDO UAF
2. FIDO U2F
3. FIDO 2.0
4. Certification
Market Adoption
5. Marketing
6. Privacy & Public Policy
7. Deployment-at-Scale
8. FIDO China
https://fidoalliance.org/working-groups
Industry Partners
Our mission is highly complementary to many other associations around the world.
FIDO DEVELOPMENT TIMELINE
[Timeline figure]
Milestones shown: Alliance Announced; FIDO Ready Program; Specification Review Draft; First Deployments; FIDO 1.0 FINAL; Certification Program; New U2F Transports; Market Adoption
Dates shown: FEB 2013 (6 Members); DEC 2013; FEB 2014; FEB-OCT 2014; DEC 9 2014; MAY 2015; JUNE 2015; TODAY (>250 Members)
The Problem
The Solution
The Alliance
The Market
2014 FIDO ADOPTION
“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”
Feb 24, 2014
“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”
September 17, 2014
“Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”
October 21, 2014
2015 FIDO ADOPTION
“Microsoft Announces FIDO Support Coming to Windows 10”
Feb 23, 2015
“Qualcomm launches Snapdragon fingerprint scanning technology”
March 2, 2015
“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’”
April 21, 2015
“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards.”
May 26, 2015
“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.”
August 12, 2015
“[T]he technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.”
September 15, 2015
“GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification.”
October 1, 2015
2016 FIDO ADOPTION
“NTT DOCOMO is now offering FIDO-enabled biometric authentication for customers using Apple iOS devices”
Mar 7, 2016
“FIDO Universal 2nd Factor (U2F) authentication is now being used to allow all UK citizens to easily and securely access GOV.UK Verify digital public services.”
Mar 23, 2016
“BC Card provides Token and FIDO services to strengthen security and safety of Samsung Pay”
March 1, 2016
“KEB Hana’s new solution is notably FIDO Certified.”
February 3, 2016
Deployments are enabled by FIDO® Certified products available today
Leading OEMs Now Shipping FIDO Certified Devices
Samsung: Tab S, Tab S2; S5, Mini; Note 4, 5; Alpha; Note Edge; S6, S6 Edge
Sharp Aquos Zeta
Sony Xperia Z5
Fujitsu Arrows (Iris Biometrics)
LG V10 & G5
Available to anyone
Ensures interoperability
Promotes the FIDO ecosystem
Steps to certification:
1. Conformance Self-Validation
2. Interoperability Testing
3. Certification Request
4. Trademark License (optional)
fidoalliance.org/certification
JOIN THE FIDO ECOSYSTEM
JOIN THE FIDO ALLIANCE
THANK YOU FOR COMING!
@FIDOAlliance
www.fidoalliance.org